
Connections and Encryption

On the Connections and Encryption page, you can create connection rules that restrict connections based on various selectors. You can also set the ciphers and MACs used for the connections.

The selectors define which connections a connection rule applies to. The order of the rules is important. The first matching rule is used and the remaining rules are ignored.

If no selectors (or only empty selectors) are specified in a connection rule, the rule matches all connections. In the simple GUI mode, there is only one connection rule that is used for all connections.

If a connection does not match the selectors of any connection rule, the connection is allowed with the server default connection settings.

To add a new connection rule, click the Add button below the tree view. Each rule has a sub-page with two tabs. On the Selectors tab, you can edit the selectors of the rule and define whether the connection is allowed or denied, and on the Parameters tab, you can configure the settings for the rule.

To edit a connection rule, select a connection item on the tree view. For more information, see Editing Connection Rules.

To change the order of the rules, select a connection item on the tree view and use the Up and Down buttons. The rules are read in order, and the first matching connection rule on the list is used.

To delete a connection rule, select a connection item and click Delete.

Editing Connection Rules

Each item under Connections and Encryption has two tabs, Selectors and Parameters. The Selectors tab is shown only in the advanced GUI mode.

Selectors (Advanced Mode)

On the Selectors tab, you can configure the selectors that apply to the connection rule and define whether the connection is allowed or denied.

To add a new selector to the rule, click Add Selector. The Add Selector dialog box opens so that you can specify the selector type; a new selector always contains at least one attribute. For more information on the different selector attributes, see Editing Selectors.

Only the Interface and IP selector attributes are relevant for connection rules, because the rules are processed before the user authenticates. For example, the user name is not yet known at that point, so a user-based attribute can never match. For more information, see Using Selectors in Configuration File.

To remove a selector, choose the selector from the list view on the Selectors tab and click Delete Selector. This will delete the selector and all its attributes.

To add a new attribute to a selector, choose a selector from the list and click Add Attribute. The Add Selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To edit a selector attribute, choose the attribute from the list and click Edit Attribute. The relevant selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To remove a selector attribute, choose the attribute from the list and click Delete Attribute. Note that a selector with no attributes matches everything, so a rule left with an empty selector applies to every connection that reaches it; if such a rule denies connections and sits near the top of the list, it blocks all connections before the later rules are consulted.

Connections

Select whether the connection is allowed or denied.

If you select to deny the connection, the Parameters tab is disabled.
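The first-match evaluation, the empty-selector behaviour and the allow/deny decision described above, as an added example that is not part of the original page or of the server's own code. It assumes the usual selector semantics: every attribute within one selector must match, a rule matches if any of its selectors matches, and a rule with no selectors (or an empty selector) matches every connection. Rule names, the sample networks and the default parameter set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of connection-rule evaluation; not the server's own code.
# Assumed semantics: attributes inside one selector must all match; a rule
# matches if any of its selectors matches; a rule with no selectors, or with
# an empty selector, matches every connection.

@dataclass
class Attr:
    kind: str                      # "ip" (peer address) or "interface" (listener)
    address: Optional[str] = None  # single address or CIDR network
    port: Optional[int] = None     # only meaningful for "interface"

@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    selectors: list = field(default_factory=list)  # each selector is a list[Attr]
    params: dict = field(default_factory=dict)     # overrides for server defaults

# Constructed server defaults, used when no rule matches (values from this page).
DEFAULT_PARAMS = {
    "ciphers": ["AES-128-CTR", "AES-256-CTR", "AES-128-CBC", "3DES"],
    "rekey_seconds": 3600,
    "rekey_bytes": 1_000_000_000,
}

def _in_network(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def attr_matches(attr: Attr, conn: dict) -> bool:
    if attr.kind == "ip":
        return _in_network(conn["peer_ip"], attr.address)
    if attr.kind == "interface":
        if attr.address is not None and not _in_network(conn["local_ip"], attr.address):
            return False
        return attr.port is None or attr.port == conn["local_port"]
    # User-based attributes are not usable here: the user is not yet known.
    raise ValueError(f"selector attribute {attr.kind!r} is not usable in connection rules")

def selector_matches(selector: list, conn: dict) -> bool:
    # all() over an empty list is True: a selector with no attributes matches everything.
    return all(attr_matches(a, conn) for a in selector)

def rule_matches(rule: Rule, conn: dict) -> bool:
    return not rule.selectors or any(selector_matches(s, conn) for s in rule.selectors)

def evaluate(rules: list, conn: dict) -> tuple:
    """First matching rule wins. Returns (action, rule name or None, parameters)."""
    for rule in rules:
        if rule_matches(rule, conn):
            if rule.action == "deny":
                return ("deny", rule.name, None)
            return ("allow", rule.name, {**DEFAULT_PARAMS, **rule.params})
    # No rule matched: allowed with the server default settings.
    return ("allow", None, dict(DEFAULT_PARAMS))

# Constructed rules: intranet clients on the port-22 listener get a CTR-only
# cipher set; the documentation test network 192.0.2.0/24 is denied.
RULES = [
    Rule("intranet", "allow",
         selectors=[[Attr("interface", port=22), Attr("ip", "10.0.0.0/8")]],
         params={"ciphers": ["AES-256-CTR", "AES-128-CTR"]}),
    Rule("testnet-deny", "deny", selectors=[[Attr("ip", "192.0.2.0/24")]]),
]
# A deny rule whose only selector has no attributes: it matches everything.
CATCH_ALL_DENY = Rule("catch-all", "deny", selectors=[[]])

CONN_INTRANET = {"peer_ip": "10.1.2.3", "local_ip": "10.1.60.11", "local_port": 22}
CONN_TESTNET = {"peer_ip": "192.0.2.5", "local_ip": "10.1.60.11", "local_port": 22}
CONN_OTHER = {"peer_ip": "198.51.100.7", "local_ip": "10.1.60.11", "local_port": 22}

if __name__ == "__main__":
    for conn in (CONN_INTRANET, CONN_TESTNET, CONN_OTHER):
        print(conn["peer_ip"], evaluate(RULES, conn)[:2])
    # Ordering matters: the catch-all deny placed first blocks even the intranet.
    print("misordered:", evaluate([CATCH_ALL_DENY] + RULES, CONN_INTRANET)[:2])
```

The misordered list at the end is the case the Delete Attribute note warns about: the rule order is the only thing that decides which of two overlapping rules applies, and an attribute-less selector turns a rule into a catch-all.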

Parameters

On the Parameters tab, you can configure keepalive messages, the rekey interval, and the allowed ciphers and MACs for the connection.

Keepalive

Select this check box to send keepalive messages to the other side. If they are sent, a broken connection or a crash of one of the machines is noticed properly. This also means that connections will die if the route is down temporarily.

Rekey Interval

Specify the number of Seconds or transferred Bytes after which the key exchange is done again.

If a value for both Seconds and Bytes is specified, rekeying is done whenever one of the values is reached, after which the counters are reset.

The defaults are 3600 seconds (1 hour) and 1000000000 bytes (~1 GB). The value 0 (zero) turns server-initiated rekey requests off for that counter. This does not prevent the client from requesting rekeys.
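The rekey semantics described above, as an added example that is not part of the original page or of the server's own code: a short replay of a session that reports when the server would initiate a rekey, with either threshold triggering, counters reset after each rekey, and a value of 0 disabling a trigger. The sample traffic and the small thresholds are constructed so that the behaviour is visible.

```python
def rekey_schedule(events, start=0.0, seconds=3600, bytes_limit=1_000_000_000):
    """Replay a session and report when a server-initiated rekey would fire.

    events: list of (timestamp, bytes_transferred) records in time order.
    Returns a list of (timestamp, reason) tuples. Both counters are reset after
    each rekey. A limit of 0 disables that trigger; the client may still request
    rekeys on its own, which this constructed simulation does not model.
    """
    rekeys = []
    window_start = start   # time of the last key exchange
    byte_count = 0         # bytes moved since the last key exchange
    for ts, n in events:
        byte_count += n
        by_time = seconds > 0 and ts - window_start >= seconds
        by_bytes = bytes_limit > 0 and byte_count >= bytes_limit
        if by_time or by_bytes:
            # Whichever limit is reached first triggers; "bytes" wins the label
            # when both are reached on the same record.
            rekeys.append((ts, "bytes" if by_bytes else "time"))
            window_start, byte_count = ts, 0
    return rekeys

# Constructed sample traffic: (seconds since session start, bytes moved).
SAMPLE_EVENTS = [(1, 50), (2, 60), (11, 10), (13, 5), (40, 120)]

if __name__ == "__main__":
    print("both limits:", rekey_schedule(SAMPLE_EVENTS, seconds=10, bytes_limit=100))
    print("bytes only: ", rekey_schedule(SAMPLE_EVENTS, seconds=0, bytes_limit=100))
    print("time only:  ", rekey_schedule(SAMPLE_EVENTS, seconds=10, bytes_limit=0))
    print("disabled:   ", rekey_schedule(SAMPLE_EVENTS, seconds=0, bytes_limit=0))
```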

Encryption

Under Encryption, select the Ciphers and MACs allowed for the connection from the list. To select several ciphers or MACs, hold down the Ctrl key while clicking.

By default, the following ciphers are allowed:

CryptiCore
AES-128-CBC
AES-192-CBC
AES-256-CBC
AES-128-CTR
AES-192-CTR
AES-256-CTR
3DES
SEED

The ciphers that can operate in the FIPS mode are 3DES and the CBC-mode AES-128, AES-192, and AES-256. The counter-mode AES ciphers, CryptiCore, and SEED are not available in FIPS mode. Outside FIPS mode, prefer the counter-mode AES ciphers where the clients support them: the CBC-mode SSH ciphers have known plaintext-recovery weaknesses, and deselecting a cipher here is how you prevent it from being negotiated for the connections the rule covers.